<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Field level security | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'field-level-security.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/field-level-security.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/field-level-security.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/field-level-security.html" rel="nofollow" target="_blank">../en/field-level-security.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="authorization.html">User authorization</a></span>
»
<span class="breadcrumb-node">Field level security</span>
</div>
<div class="navheader">
<span class="prev">
<a href="document-level-security.html">« Document level security</a>
</span>
<span class="next">
<a href="securing-aliases.html">Granting privileges for indices and aliases »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="field-level-security"></a>Field level security<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/field-level-security.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>Field level security restricts the fields that users have read access to.
In particular, it restricts which fields can be accessed from document-based
read APIs.</p>
<p>To enable field level security, specify the fields that each role can access
as part of the indices permissions in a role definition. Field level security is
thus bound to a well-defined set of indices (and potentially a set of
<a class="xref" href="document-level-security.html" title="Document level security">documents</a>).</p>
<p>The following role definition grants read access only to the <code class="literal">category</code>,
<code class="literal">@timestamp</code>, and <code class="literal">message</code> fields in all the <code class="literal">events-*</code> indices.</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/test_role1
{
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "field_security" : {
        "grant" : [ "category", "@timestamp", "message" ]
      }
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1245.console"></div>
<p>Access to the following meta fields is always allowed: <code class="literal">_id</code>,
<code class="literal">_type</code>, <code class="literal">_parent</code>, <code class="literal">_routing</code>, <code class="literal">_timestamp</code>, <code class="literal">_ttl</code>, <code class="literal">_size</code> and <code class="literal">_index</code>. If
you specify an empty list of fields, only these meta fields are accessible.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Omitting the fields entry entirely disables field level security.</p>
</div>
</div>
<p>You can also specify field expressions. For example, the following
example grants read access to all fields that start with an <code class="literal">event_</code> prefix:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/test_role2
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "field_security" : {
        "grant" : [ "event_*" ]
      }
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1246.console"></div>
<p>Use the dot notations to refer to nested fields in more complex documents. For
example, assuming the following document:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "customer": {
    "handle": "Jim",
    "email": "jim@mycompany.com",
    "phone": "555-555-5555"
  }
}</pre>
</div>
<p>The following role definition enables only read access to the customer <code class="literal">handle</code>
field:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/test_role3
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "field_security" : {
        "grant" : [ "customer.handle" ]
      }
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1247.console"></div>
<p>This is where wildcard support shines. For example, use <code class="literal">customer.*</code> to enable
only read access to the <code class="literal">customer</code> data:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/test_role4
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "field_security" : {
        "grant" : [ "customer.*" ]
      }
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1248.console"></div>
<p>You can deny permission to access fields with the following syntax:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/test_role5
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "field_security" : {
        "grant" : [ "*"],
        "except": [ "customer.handle" ]
      }
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1249.console"></div>
<p>The following rules apply:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
The absence of <code class="literal">field_security</code> in a role is equivalent to * access.
</li>
<li class="listitem">
If permission has been granted explicitly to some fields, you can specify
denied fields. The denied fields must be a subset of the fields to which
permissions were granted.
</li>
<li class="listitem">
Defining denied and granted fields implies access to all granted fields except
those which match the pattern in the denied fields.
</li>
</ul>
</div>
<p>For example:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/test_role6
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "field_security" : {
        "except": [ "customer.handle" ],
        "grant" : [ "customer.*" ]
      }
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1250.console"></div>
<p>In the above example, users can read all fields with the prefix "customer."
except for "customer.handle".</p>
<p>An empty array for <code class="literal">grant</code> (for example, <code class="literal">"grant" : []</code>) means that access has
not been granted to any fields.</p>
<p>When a user has several roles that specify field level permissions, the
resulting field level permissions per index are the union of the individual role
permissions. For example, if these two roles are merged:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/test_role7
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "field_security" : {
        "grant": [ "a.*" ],
        "except" : [ "a.b*" ]
      }
    }
  ]
}

POST /_security/role/test_role8
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "field_security" : {
        "grant": [ "a.b*" ],
        "except" : [ "a.b.c*" ]
      }
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1251.console"></div>
<p>The resulting permission is equal to:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  // role 1 + role 2
  ...
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "field_security" : {
        "grant": [ "a.*" ],
        "except" : [ "a.b.c*" ]
      }
    }
  ]
}</pre>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Field-level security should not be set on <a href="alias.html" class="ulink" target="_top"><code class="literal">alias</code></a> fields. To secure a
concrete field, its field name must be used directly.</p>
</div>
</div>
<p>For more information, see <a class="xref" href="field-and-document-access-control.html" title="Setting up field and document level security">Setting up field and document level security</a>.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="document-level-security.html">« Document level security</a>
</span>
<span class="next">
<a href="securing-aliases.html">Granting privileges for indices and aliases »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>